PCI 30-second newsletter #38 - The Holy Grail vs ROC-Fission: The only way to reach compliance
A big thanks to Andy Barratt [https://www.linkedin.com/in/andrewbarratt] -
Managing Director, Europe and QSA, Coalfire for his contribution to this
“Any darn fool can make something complex; it takes a genius to make something
simple.”― Peter Seeger
If you are the glorious knight responsible for getting your company up to
mandatory compliance levels (and keep it there), you could potentially feel
desperate facing this enormous and tedious undertaking. This is especially true
PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!
This newsletter clarifies what is expected to comply with PCI DSS 11.3:
Why is Pen-test needed?
In the same way that wellness checks support a doctor's diagnosis by determining
what's wrong or not working as expected (a.k.a. an analysis) and establish the
appropriate treatment (a.k.a. a remediation plan), penetration testing aims to:
* Determine and validate a diagnosis by determining the genuineness and
severity of identified vulnerabilities
* Validate that defense m
PCI 30 seconds newsletter #36 - Control your privileged accounts - How to contain the "Keys to the kingdom" problem
What's a Privileged account?
The term "Privileged account", also known as "High Privileged account" or "Super
user" refers to any type of account that holds special or extra permissions
within the enterprise systems.
They are generally categorized as:
* IT administrative accounts used to install or configure. E.g.UNIX root,
Windows Administrator accounts or accounts associated with database ownership
and network components.
* Identity and access management accounts used to manage use
PCI 30 seconds newsletter #35 - Patch management, how to comply with PCI.
In the newsletter #15 [/2011/11/28/pci-30-seconds-newsletter-15-nice-look] I
addressed the problem of flaws in our working environments. As a follow up I'm
covering here the topic of patch management and its applicability within the
context of PCI, a domain of 49,5% compliance rate as per the Verizon 2014 PCI
What's a patch?
In the same way a needlewoman would apply a piece of cloth to repair a hole in
your favorite coat, a patch or fix is a piece of software that can be ap
PCI 30 seconds newsletters published so far.
This is the list of PCI 30 seconds newsletters published so far. If you like
them, please tell us, share them, follow me on twitter or linkedin to not miss
the next ones. Suggest some topics you would like to see addressed. If you don't
like them, tell us how we could enhanced them.
#1 - PCI what are you talking about?
#2 - Payment processing terminology and workflow
PCI 30 seconds newsletter #34 - PCI DSS Version 3 Changes and Impact - Should You Care?
I'm here again with a song in mind: Why should I care?
You have probably noticed that PCI DSS Version 3 is available! It is applicable
on a voluntary basis until Jan 2015, when it becomes mandatory. But, should you
care? Should you prepare yourselves? Well, it depends.
In this newsletter, I'm sharing with you the result of my analysis of the new
version of the PCI Bible. You will learn what has changed and what the impact is
for companies already in compliance with PCI DSS version 2 (V2).
PCI 30 seconds newsletter #33 - Key take-away from the PCI Community meeting 2013
I have been attending the PCI Community meetings since the early days. I
remember each one of them. Not really the content, but about the people
representing PCIco, the brands, organizations subjected to compliance, and the
security communities (QSA's, ASV's, PFI's, solution providers). They are my key
rational for attending such great events. Getting in touch with the community,
networking, sharing and exchanging on our field experience is a great
opportunity and in that matter this year was
PCI 30 seconds newsletter #32 - Money for nothing
Starting this newsletter with two famous songs in mind: "Money" by Pink Floyd
and "Money for nothing" by Dire Straits.
If I ask you to give me the most common PCI keywords that come to mind, you
will most probably answer: Security, Credit Card, Compliance and…Cost.
MONEY is definitely a key argument both for the PCI supporters and the PCI
critics. The former emphasize the cost for the organization in case of a breach
while the latter underline the associated cost of implementation and
PCI 30 Seconds Newsletter #31 - PCI DSS Crypto-framework
Strong Cryptography is referred to by PCI DSS through the following
2.3 - Encrypt all non-console administrative access using strong cryptography.
Use technologies such as SSH, VPN, or SSL/TLS for web- based management and
other non- console administrative access.
4.1 - Use strong cryptography and security protocols (for example, SSL/TLS,
IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission
over open, public networks.
Cryptographic solutions are also su
PCI 30 seconds newsletter #30 - Trainings your organization must deliver to comply with PCI DSS
PCI-DSS requires organizations subjected to compliance to deliver three specific
trainings, namely: Security Awareness, Secure Coding and Incident response. This
newsletter describes what you should know about them in terms of What, Who and
Associated PCI DSS requirement: 12.6
Audience: Any individual having access to data or system components part of the
Objectives: In all domains, awareness of the risks and available safeguards are
the first line of defe
PCI 30 seconds newsletter #29 - Do all PCI DSS requirements apply?
I recently assisted a medium size organization to align with PCI. The gap
analysis and design phase raised a number of concerns from their side. All of
the concerns started as something similar to: "Why do we need this? It induces
Implementing protection mechanisms without considering their added values and
impact on the environment and the business does not make sense. Security is a
risk mitigation and management discipline and all security responsible
individuals know perfectly
PCI 30 Seconds newsletter #28 - The PCI Library - What docs are required for compliance?
Compliance programs are heavily based on documentation and PCI does not make an
exception. Technical and non-technical documents are a major part of the PCI
journey and certainly of the compliance audit. Documents (technical description,
diagram, policies, procedures, standards, audit trails, scan reports, pen test
report, risk analysis report, test report,…) are the auditor's food.
Therefore, beside the technical specificities, no one should neglect or
underestimate the effort and time neces
PCI 30 seconds Newsletter #27 - Should I disable my protection system for ASV scans?
In the context of intrusion detection and prevention, PCI DSS requires
implementation/configuration of Firewalls (Req 1), Anti-virus (Req 5) and
Intrusion detection systems (IDS) (Req 11.4). Optionally, organizations are
invited to consider the use of Intrusion Prevention Systems (IPS) in place or in
addition to IDS (Req 11.4) as well as Web Application Firewalls (Req 6.6).
The first group of required protection systems is known as static systems. They
do not dynamically modify their behavior.
PCI 30 seconds newsletter #26 - PCIP is it worth it?
At the last PCI Community meeting the Council introduced a new certification
(yes one more!). After, ASV, QSA, P2PE QSA, ISA, PFI, QIR, there it is: The PCIP
(Payment Card Industry Professionals) certification.
Firstly, to answer a valid concern from the QSA and ISA employees. QSA and ISA
certifications are not assigned to individuals but to the couple (company,
employee). Therefore the QSA/ISA employee status is lost whenever the
individuals leave their employers. This fact is poorly know
PCI 30 seconds newsletter #25 - A New Standard is Born.
PCI SSC is putting the finalizing touches to two new standards (Physical and
Logical Security Requirements) for card manufacturers and card personalization
After having co-authored the first version of the PCI DSS and having designed
and led the ASV certification program on behalf of PCIco, I've been assigned
with another critical mission for a "secret" department at Mastercard, the
Global Vendor Certification Program. My role was to write a set of logical
security requirements to mini